
3com Vlans & WAP for multiple (20) offices and shared Internet

I need some help configuring a 3com 4500 switch and a WatchGuard X550e firewall to do the following:

The customer has an office building with 20 separate businesses that need Internet access and VoIP capability. We are installing a Mitel VoIP phone system for all offices as well.

We need to create a separate VLAN for data (and connection to the Internet through the WatchGuard firewall) for each office. We would like to use the 3com's Auto Voice VPN for the IP phones. We will also be providing some hosted servers that the data VLANs will need access to (a separate "server farm" VLAN).

The customer would also like to provide wireless access for each office as well as a public (open) WiFi connection for the conference room. We will use 3com 8760 WAPs for this, but I'm not sure how to get the appropriate wireless clients into their respective VLANs. Is this even possible?
Ideally all VLAN clients would get their IP address from the DHCP server in the WatchGuard, but I don't think the WatchGuard can handle that.

1 Solution
WG supports VLANs with the following limitations:
  • You must have Fireware Pro installed on your Firebox [purchased separately].
  • VLANs are supported from trusted and optional interfaces only. The external interface does not allow VLAN configuration.
  • WatchGuard's VLAN implementation does not support spanning tree link management.
  • If your Firebox is configured with a drop-in configuration, you cannot use VLANs.
  • One Firebox physical interface can be an untagged VLAN member of only one VLAN. For example, if eth0 is an untagged member of a VLAN named VLAN-1, it cannot be an untagged member of a different VLAN at the same time.
  • A Firebox interface can send untagged data to only one VLAN.
  • A Firebox interface can receive untagged data frames for only one VLAN.
  • Your Firebox model and license control the number of VLANs you can add to the Firebox. To see the number of VLANs you can add to your Firebox, use Policy Manager to select Setup > Licensed Features. Click the Active Features button and find the row labeled VLAN.

All network segments you want to add to a VLAN must have IP addresses on the VLAN network.

You need to use WG software version 9.0 for VLANs.

You can configure the Firebox as a DHCP server for the computers on your VLAN network.
1. Select the Use DHCP Server radio button to configure the Firebox as the DHCP server for your VLAN network.
2. To add an IP address range, click Add and type the first and last IP addresses assigned for distribution. Click OK. You can configure a maximum of six address ranges.
3. To reserve a specific IP address for a client, click Add next to the Reserved Addresses box. Enter a name for the reservation, the IP address you want to reserve, and the MAC address of the client's network card. Click OK.
4. Use the arrow buttons next to Leasing Time to change the default lease time.

Hope this helps. Please let me know if you need more details.

Thank you.
mbriese (Author) commented:
That is some great information. With a need for 20 VLANs, all with DHCP-assigned addresses and with the need for Internet access, it sounds like the Firebox will not support this. What would you do to provide "private" networks to 20+ offices and share one Internet connection?
Well, you have the option to create secondary networks on one single interface in WG. So, theoretically you can create 20 secondary networks and then define a VLAN for each one of them; normally, when you create secondary networks, as they are defined on one single port of the firewall device, the traffic can flow between them. But in your case you would be defining VLANs and DHCP for each secondary network that you create, so this should work.

I am also not sure whether, with Fireware Pro, you get an option to define VLANs when creating secondary networks; I think you should get the option. If you do get an option for VLANs, I think the setup you want should work.

I have not tested this solution myself so didn't put it in the post earlier but I think it can be tried.
mbriese (Author) commented:
This is what I was thinking; however, it appears that the Firebox only supports up to 6 DHCP scopes. I am also wondering how it would determine which scope to pull the IP address from for each VLAN. Additionally, I may be wrong, but I think the Firebox will provide routing between the secondary networks. If so, is there a way to prevent this?

The secondary networks are on the same physical interface and the traffic is allowed by default. I am not sure but I think we can define "Any" service to block traffic between the subnets [Again never worked on a scenario like this and don't have setup to test :(]. Something like:
Policy->Denied; from,; to,

If the DHCP scope limit is a problem then I do not think the FB would suit your scenario. I think, as we would associate each DHCP server according to VLAN and we specify the IP as well while defining VLANs, this should help in setting DHCP for one VLAN only, but as I have not tried the scenario I am not sure.

Frankly I am not sure how VLANs respond as far as WG is concerned.

One solution is: if you put a router behind the WG, then the WG would not do any VLAN or route management. You can configure the router not to allow any traffic between the subnets and to respond to VLANs. On the WG you can keep one subnet, and one interface of the router would be on the same subnet. For the other subnets you can define routes on the WG.
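The three points the thread circles around (one subnet per VLAN, how a DHCP server decides which scope to hand out for a given VLAN, and blocking traffic between the office networks while still allowing the server farm and the Internet) can be sketched in a small model. The following is an added example written for this page; it is not code from the thread, from WatchGuard or from 3com. The 10.10.0.0/16 block, the VLAN ids, the role names and the rule table are all constructed for illustration, and the firewall policy is the first-match "deny between subnets" idea from the answer above expressed on VLAN roles rather than on any vendor's syntax.

```python
"""Added example, not from the original thread: a small model of the
per-office VLAN design discussed above. It shows one subnet per VLAN, how a
DHCP server picks the scope for a VLAN (by the VLAN interface or relay
address the request arrives through), and a first-match inter-VLAN policy
that denies office-to-office traffic while allowing offices to reach the
server farm and the Internet. VLAN ids, the 10.10.0.0/16 block and the role
names are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    role: str  # "office", "voice", "servers" or "guest"
    subnet: ipaddress.IPv4Network


def build_plan(num_offices=20, base="10.10.0.0/16"):
    """Carve one /24 per office out of the base block (constructed layout),
    plus shared voice, server-farm and guest-WiFi VLANs."""
    subnets = list(ipaddress.ip_network(base).subnets(new_prefix=24))
    vlans = {}
    for i in range(num_offices):
        vlans[100 + i] = Vlan(100 + i, f"office{i + 1}", "office", subnets[i])
    vlans[200] = Vlan(200, "voice", "voice", subnets[200])
    vlans[210] = Vlan(210, "servers", "servers", subnets[210])
    vlans[220] = Vlan(220, "guest-wifi", "guest", subnets[220])
    return vlans


def vlan_of(vlans, ip):
    """Return the VLAN whose subnet contains ip, or None for Internet addresses."""
    addr = ipaddress.ip_address(ip)
    return next((v for v in vlans.values() if addr in v.subnet), None)


def dhcp_scope_for(vlans, arrival_ip):
    """Scope selection the way a DHCP server does it: the request is matched
    to the subnet of the VLAN interface it arrived on (or of the relay agent's
    giaddr), so each VLAN gets its own pool. Returns (vid, first, last)."""
    v = vlan_of(vlans, arrival_ip)
    if v is None:
        return None
    hosts = list(v.subnet.hosts())
    # Keep the low addresses for the gateway and static devices (constructed choice).
    return v.vid, str(hosts[9]), str(hosts[-6])


# First-match policy on the VLAN roles of source and destination.
# "internet" stands for any address outside the plan.
RULES = [
    ("allow", "office", "servers"),
    ("allow", "office", "internet"),
    ("allow", "voice", "voice"),
    ("allow", "voice", "servers"),
    ("allow", "guest", "internet"),
    ("deny", "any", "any"),  # everything else, including office <-> office
]


def policy_verdict(vlans, src_ip, dst_ip):
    """Evaluate RULES top to bottom and return "allow" or "deny"."""
    src = vlan_of(vlans, src_ip)
    dst = vlan_of(vlans, dst_ip)
    src_role = src.role if src else "internet"
    dst_role = dst.role if dst else "internet"
    for action, s, d in RULES:
        if s in ("any", src_role) and d in ("any", dst_role):
            return action
    return "deny"


if __name__ == "__main__":
    plan = build_plan()
    print("scope for VLAN interface 10.10.3.1:", dhcp_scope_for(plan, "10.10.3.1"))
    for s, d in [("10.10.0.5", "10.10.1.5"), ("10.10.0.5", "10.10.210.20"),
                 ("10.10.0.5", "203.0.113.10"), ("10.10.220.7", "10.10.210.20")]:
        print(s, "->", d, policy_verdict(plan, s, d))
```

The scope lookup answers the "which scope for which VLAN" question from the thread: a DHCP server never guesses, it uses the subnet of the interface (or relay address) the request came in on, which is why every VLAN needs its own interface address on the server. The rule table is the part that has to be mirrored in whatever device actually routes between the VLANs (the Firebox secondary networks or a router behind it); without the final deny, two office subnets on one routed interface can talk to each other by default.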